source: bearmail/lib/BearMail/Web/Login.pm @ 500

Last change on this file since 500 was 500, checked in by zecrazytux, 10 years ago

Added a lock and enhanced mailmap writing mechanism

1package BearMail::Web::Login;
2
3# Copyright (C) 2009 Bearstech - http://bearstech.com/
4#
5# This program is free software: you can redistribute it and/or modify
6# it under the terms of the GNU General Public License as published by
7# the Free Software Foundation, either version 3 of the License, or
8# (at your option) any later version.
9#
10# This program is distributed in the hope that it will be useful,
11# but WITHOUT ANY WARRANTY; without even the implied warranty of
12# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
13# GNU General Public License for more details.
14#
15# You should have received a copy of the GNU General Public License
16# along with this program.  If not, see <http://www.gnu.org/licenses/>.
17
18# Login webui page - part of bearmail
19
20use strict;
21use base 'BearMail::Web';
22use Digest::MD5 qw(md5_hex);
23
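# Compare a stored hex digest with a freshly computed one without stopping at
# the first differing character, so the time taken does not reveal how much
# of the digest matched. Returns 1 on an exact match, 0 otherwise (including
# when either value is undefined or the lengths differ).
sub _digest_matches {
    my ($stored, $computed) = @_;

    return 0 unless defined $stored and defined $computed;
    return 0 unless length($stored) == length($computed);

    my $diff = 0;
    for my $i (0 .. length($stored) - 1) {
        $diff |= ord(substr($stored, $i, 1)) ^ ord(substr($computed, $i, 1));
    }
    return $diff == 0 ? 1 : 0;
}

# Start run mode: authenticate the submitted 'email' / 'password' pair.
#
# Outcomes:
#   - either parameter missing or empty  -> plain login page
#   - email is a known postmaster and the password digest matches
#                                        -> login_ok(..., 'postmaster')
#   - email is admin/administrator/root and the digest matches the
#     configured master password         -> login_ok(..., 'admin')
#   - otherwise                          -> login page with an error flag
#
# NOTE(review): credentials are checked against an unsalted MD5 hex digest of
# the submitted password. Moving to a salted, deliberately slow password hash
# requires changing the stored format, so it is not done in this block.
# NOTE(review): no attempt limiting or lockout is visible in this file;
# confirm it is enforced elsewhere.
sub login : StartRunMode {
    my $self = shift;

    my $q = $self->query;
    # '||' also maps the literal value "0" to the empty string, so such a
    # value is treated as a missing parameter.
    my $email = $q->param('email')    || '';
    my $pass  = $q->param('password') || '';

    # We can't proceed with login if we don't have both params
    return $self->login_page() if $email eq '' or $pass eq '';

    # FIXME: need to handle simple user login too

    my $digest = md5_hex($pass);

    # Administrative login names. \A and \z anchor the whole string ('$'
    # alone would also accept a trailing newline). The pattern previously
    # spelled the optional suffix "inistrator", so "administrator" itself
    # never matched.
    my $is_admin_name =
        ($email =~ /\A(?:admin(?:istrator)?|root)\z/i) ? 1 : 0;

    # First check simple domain login
    my $domain_pass = $self->{b}->get_postmasters()->{$email};
    return $self->login_ok($email, 'postmaster')
        if _digest_matches($domain_pass, $digest);

    # Then try the master password, but only on admin|root logins, to prevent
    # users discovering domain/master password collisions by accident
    my $master_pass = $self->cfg('master_password');
    return $self->login_ok($email, 'admin')
        if $is_admin_name and _digest_matches($master_pass, $digest);

    # NOTE(review): the two error flags tell the client whether the submitted
    # address is a known postmaster account ("password") or not ("email"),
    # which allows account enumeration. Returning a single generic failure
    # would close that, but needs a matching change in login.html.
    if (defined $domain_pass or $is_admin_name) {
        return $self->login_page("password");
    }
    else {
        return $self->login_page("email");
    }
}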
54
# Render the login form from the 'login.html' template.
#
# $error (optional) is a short tag; when it is true, the template parameter
# "error_<tag>" is set to 1 so the template can show the matching message.
# Callers in this file pass "password", "email" or nothing.
sub login_page {
    my ($self, $error) = @_;

    my $tmpl = $self->load_tmpl('login.html');
    if ($error) {
        $tmpl->param("error_$error" => 1);
    }

    return $tmpl->output;
}
64
# Record a successful login in the session and redirect the browser.
#
# $user  - the login name that was authenticated
# $level - privilege level: 'user', 'postmaster' or 'admin'
#
# Returns whatever $self->redirect() returns for the chosen target.
sub login_ok {
    my ($self, $user, $level) = @_;

    # Store the authenticated user in the session (privileges should be
    # checked at every operation instead of being stored in s{level}, FIXME)
    # NOTE(review): nothing here issues a fresh session identifier after
    # authentication; confirm the framework rotates it elsewhere, otherwise
    # a session id set before login stays valid afterwards.
    $self->session->param(user  => $user);
    $self->session->param(level => $level);
    $self->session->flush();

    # Landing page per privilege level, used when the session holds no
    # 'intent' (the page the user originally asked for).
    my %landing_for = (
        user       => 'address_edit',
        postmaster => 'address_list',
        admin      => 'domain_list',
    );

    # NOTE(review): how 'intent' is written into the session is not visible
    # in this file; confirm it can only hold an internal page name before it
    # reaches url()/redirect(). An unknown $level yields no default at all.
    my $intent = $self->session->param('intent') || $landing_for{$level};
    return $self->redirect($self->url($intent));
}
85
861;